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Electronic Commerce 

The present invention relates to a system that enhances the security of 
apparatus traded using electronic commerce. 

The term "electronic commerce" is used in this document broadly to 
encompass trading systems using information and communication technologies. It 
includes, both on-line retailing via the public Internet, and electronic point of sale 
(EPOS) systems used on conventional retail premises. Furthermore, it encompasses 
systems where the underlying network technology may be, for example, optical 
rather than electronic. 

Increasing numbers of goods are being sold using electronic commerce 
systems. In the case of on-line trading via the Internet, the delivery of goods may 
often involve long and complex supply chains. It is not unusual for goods 
manufactured in one country, for example, Japan, to be ordered from a retail website 
in another country, for example the US for delivery to a third country, for example 
the UK. In such cases, theft of goods in the supply chain is potentially a serious 
problem. This problem is compounded by the possibility of some part of the 
electronic commerce system being "hacked" giving thieves knowledge of the 
impending delivery of high value goods to a certain destination. Even where less 
extensive electronic commerce systems are involved, such as a local area network in 
a retail outlet using EPOS terminals, there is still a risk of goods being stolen prior to 
being installed at the customer premises. 

According to a first aspect of the present invention there is provided a 
method of operating an electronic commerce system, including: 

a) receiving at a point of sale device a customer transaction order for a 
customer apparatus, and 

b) subsequently conveying the customer apparatus to the customer, 
characterised by a step initiated at the point of sale device of programming the 
customer apparatus with a permission code specific to a customer location and in 
that at least some of the capabilities of the apparatus are inhibited until and unless a 
corresponding permission code is supplied to the customer apparatus when installed 
at the customer location. 
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The term "point of sale device" encompasses, for example, an e-commerce web 
server carrying out transactions remotely over the Internet with the customer as well 
as an EPOS terminal used with the customer physically present as in the specific 
embodiment described below. 
5 The invention significantly enhances the security of the supply chain, by 

programming goods at the point of sale with a security code. Once programmed, the 
goods can only become fully operational if the corresponding code is supplied to the 
apparatus. Accordingly, the value of the apparatus to any third party who does not 
have the corresponding permission code is greatly reduced. 
10 Preferably the data identifying the customer is read from a transaction card 

holding customer account data. 

Another important advantage of the present invention in its preferred 
implementations is that it is able to enhance the security of transaction cards such as 
magnetic stripe cards or smart cards arranged to function as debit cards or credit 
15 cards. Using this aspect of the invention, even if such cards are stolen, they are of 
little value to the thief, since goods purchased with the card will only function at the 
location associated with the true owner o the card. The data used to identify the 
customer in these cases, may be the credit card account data itself, typically 
comprising an account name and a card number and expiry date. Alternatively, the 
20 card may include additional information specifically for use in programming the 
apparatus. The data may be validated against biometric data such as an iris print, a 
voice print or a thumb print. 

Preferably the method includes reading at the point of sale device data 
identifying the customer, and communicating to a remote operations centre 
25 connected to the electronic commerce system by a communications network a 
request for the said permission code specific to the customer location and receiving 
the said code from the remote operations centre via the communications network. 
Preferably, at the customer location the corresponding permission code is received 
from the remote operations centre by an interface unit in communication with a 
30 plurality of customer apparatuses. 

In published European Patent Applications Nos. 675626 and 960407 the 
assignee of the present invention has disclosed improved security systems using an 
interface ("Home Control Centre") between the public switched telephone network 
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(PSTN) and appliances in customer premises whereby such apparatus may be less 
attractive to thieves since without certain permissions obtained by way of the PSTN 
from a remote operations centre the appliance will not function. 

In further developments of the system of EP960407 disclosed in co-pending 
5 European patent applications Nos. 99302132, 99302133, 99302134 and 99302149 
alternative communications methods for both communication within the customer 
premises and communication between the home control centre and a permission 
granting arrangement were disclosed. 

In yet a further development disclosed in co-pending European Patent 
10 Application no. 99307981, the customer premises interface was developed to 
provide an environmental alarm arrangement for simple installation and use in 
communal premises, for example to provide smoke or fire detection in an apartment 
block. 

A brief introduction to the earlier arrangement and its operation will facilitate 
15 understanding of the invention hereinafter disclosed and claimed. However, for a full 
description of the operation of the basic system the reader should refer to the earlier 
applications referred to above. 

Thus referring to Figure 1 , in one form a control and communications 
network uses the PSTN 1 to effect communications between a remote operations 
20 centre 4 and customer premises 3. It will be appreciated that for simplicity only one 
remote operations centre is shown although there may be many such centres 
distributed across the PSTN. 

In each customer premises 3, a home control centre 2 provides an interface 
for communication on the one hand by way of the customer telephone line 7 and the 
25 PSTN with the remote operations centre and on the other hand by way of the mains 
electricity supply 6 of the customers premises 3 with suitably adapted electrical 
appliances 5. 

Although reference in the earlier application was to the two forms of 
communication mentioned, that is by superimposition of signalling on the supply line 
30 6 and by way of the PSTN, it is noted that other communications arrangements have 
been proposed by the proprietor of this application including but not limited to use of 
cellular radio networks, satellite communications and radio and Internet links between 
the home control centre 2 and the remote operations centre 4. Communication 
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between the home control centre 2 and appliances 5 may be by way of low power 
radio such as DECT, by way of an Intranet or by way of telephony wiring for 
example. 

Also shown in Figure 1 is a repatriation unit 8 which enables stolen property 
to be identified by authorised persons for return to the owner. It will be appreciated 
that other control centres accessible by way of the PSTN may also benefit from the 
arrangement. 

According to another aspect of the present invention, there is provided point 
of sale system for use in electronic commerce characterised by a programming data 
interface for connection to a customer apparatus and arranged to programme the 
customer apparatus with a permission code specific to a customer location whereby, 
in use, least some of the capabilities of the customer apparatus are inhibited until and 
unless a corresponding permission code is supplied to the customer apparatus when 
installed at the customer location. 

The point of sale system may comprise a point of sale device (as broadly 
defined above) together, optionally, with ancillary systems connected to the point of 
sale device. For example the point of sale system might comprise an EPOS terminal 
and a programming unit located in a stock room away from the EPOS terminal and 
arranged to programme the apparatus, for example via a power supply signalling 
interface. 

An electronic commerce system in accordance with the invention will now 
be described by way of example only with reference to the accompanying drawings 
of which: 

Figure 1 is a block schematic diagram of a communications and control 
network; 

Figure 2 is a block schematic diagram of the home control centre of figure 1 
modified to provide additional features of the invention; 

Figure 3 is a block schematic diagram of adapted consumer premises 
apparatus; 

Figure 4 is a flow chart showing the operation of the home control centre of 

figure 2; 

Figure 5 is a flow chart showing the operation of relevant circuits of the 
consumer premises equipment of figure 3; 
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Figure 6 is a block schematic diagram of apparatus in the remote operations 

centre; 

Figure 7 is a flow chart showing functionality of the operation of the remote 
operations centre of Figure 1 ; 

Figure 8 shows a flow chart of an information request response in the 
remote operations centre; 

Figure 9 shows operation of a capability change section of the operations 

centre; 

Figure 10 shows a further flow chart in relation to a keyed changed request 
from a home control centre to the remote operations centre; 

Figure 1 1 shows a flow chart of a part of an EPOS terminal; 

Figure 12 shows operation of the processor of the apparatus of Figure 3 in 
respect of a specific function request: and 

Figure 13 shows a block schematic diagram of an EPOS terminal modified in 
accordance with the invention. 

Figure 1 , to which reference has already been made, shows an 
implementation of a communications and control network of the kind modified by the 
present invention and as disclosed in European patent application number 960406. A 
detailed explanation of the arrangement shown in Figure 1 may be had by reference 
to the previous application in respect of coding of electrical appliances 5 and only a 
limited description of the functionality of the remote operations centre (ROC) and 
home control centre (HCC) in respect of the prior art will be given herein. 

Referring to Figure 2, the HCC 2 of Figure 1 comprises a processor 23, with 
associated data stores 24, 26. As described hereinafter, the processor has an 
analogue shift key (ASK) signalling interface 25 for communicating on the mains 
electricity supply 6. For completeness it is noted that the ASK interface 25 may be 
replaced by other signalling arrangements communicating by way of the mains 
electricity supply. In alternative arrangements radio transmission or Intranet or 
telephony line communication may be used in place of the ASK interface 25 or in 
addition thereto. Thus, whilst herein communication is described as being on the 
mains electricity supply to electrical appliances and/or detectors and/or sensors, it 
should not be taken as limiting the invention to communication by way of the 
electricity supply. 



WO 01/75705 



PCT/GB01/00959 



6 

The processor is also shown as having access to a tone generator modem 22 
for communication by way of network termination equipment 20 to telephone lines 7. 
again, while herein communication is described as being by way of the telephony 
network and location data is derived from calling line identity (CLI), it should be 
5 appreciated that other communications methods and location identification may be 
used including, but not limited to, used of cellular networks for communication 
including triangulation between cellular network masts to determine the location 
identity. Low Earth orbital satellite and/or direct radio communication between the 
HCC 2 and ROC 4 may also be used while global positioning by satellite (GPS) and/or 
10 burnt in identification of the HCC 2 should not be considered to be excluded. 

Furthermore, in descriptions hereinafter relating to modified appliances and/or 
sensors and/or environmental alarms and the like, while a specific form of 
communication between such devices and the HCC may be specified these should 
not be taken as excluding other forms of communication. 
15 Referring now to figure 3, in a protected or controlled appliance (e.g. 5 of 

Figure 1), modification of the process control 15 within the appliance (which may be 
any electrically operable or electro mechanically assisted device) requires the process 
control to signal to operational circuits of the appliance. 

Thus the process control 15 has an ASK interface 14 for communicating by 
20 way of the electrical main circuit 6 with the HCC 2. The HCC 2 returns control 
information to the process control 15 by way of the mains electrical circuit 6 and the 
ASK interface 14 to permit or deny activation of operational circuits. As discussed in 
the earlier European patent applications mentioned above, one method of 
discouraging theft is to have the power supply of the appliance 5 cease to supply 
25 power to the operational circuits unless or until the process control 15 has received 
an appropriate code downloaded from a ROC by way of the HCC 2. Thus initially, the 
device until coded forwards a message to the electrical power supply circuit 6 each 
time it is connected requesting a coding. Once connected in premises at which a 
HCC exists then it will receive coding with which it will compare subsequently 
30 received codes prior to operation. On first coding it will also receive a "blanking" 
code which is know only to the coded appliance and to the ROC, the blanking code 
being transmitted to the HCC only on specific request of a legitimate authority 



WO 01/75705 



PCT/GB01/00959 



7 

(owner) to enable decoding of the appliance to permit its bona fide transfer to 
another party. 

In the present invention, in addition to receiving operation and blanking 
codes, the HCC also includes the ability to transfer additional information to the 
5 process control 1 5 this information including identity of "capability sets" and timer 
information. The capability sets are programmed in to a memory 19 and define which 
functions of the appliance are available for use. For example, in a television set, the 
channels available to be used may be held in the capability set along with times at 
which such channels are to be available. Thus when a function is requested by use of 
10 a keypad or remote control handset, indicated by function select 13, the process 
control may determine from the capability set in combination with other factors such 
as time of day or day of week whether the appropriate function is available. The 
process control may thus permit or refuse activation of the appropriate function 
which enables the functionality of the apparatus to be varied from the ROC 4 by way 
1 5 of the home control 2 to the process control 15. 

This facility therefore allows service providers, for example satellite or 
terrestrial broadcast television service providers, to permit or deny access to certain 
channels by way of a secure route. Further, the arrangement permits parental control 
of times and channels available for example. 
20 A further advantage of the arrangement hereinafter described is that 

appliances may be coded through the supply chain from manufacturer, to wholesaler, 
to retailer, to end customer so that theft in transit is more difficult and electronic 
sales (for example by way of the Internet) can be secured. Thus even if an attempt is 
made to purchase goods or services using fraudulent means, for example by quoting 
25 another person's card account number or by using a stolen credit or debit card, the 
goods will be of no benefit to the fraudulent user since they will be pre-coded at the 
point of sale to the specific premises of the proper card owner. In this way, delivery 
of electrical goods to a specific address is secured since any theft will leave the thief 
with an unusable apparatus which is readily traceable to its proper owner and which 
30 may reveal its location to proper authorities to facilitate recovery. 

Turning now to figure 4, the processor 23 of the HCC 2 of Figure 2 is 
normally quiescent in a main state 900 until it receives, by way of the mains 
electrical circuit 6, an "unlock request" message (901) from an appliance 5. The 
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message includes the identity of the requesting apparatus by type, manufacturer and 
electronic serial number. If the requesting apparatus is not in the list of appliances 
held in the volatile data store 24 then by way of the path 906 to 970 coding is 
requested from the ROC 4 by way of the PSTN 1 . Various checks are made to ensure 
5 that the requesting appliance codes appropriately and that the new equipment is now 
included in the appliance list. Full details of this part of the operation are disclosed in 
the earlier published European applications, including a more complete flow chart for 
those operations involved after the commencement of the Lock Enable Timer at step 
910. 

10 Assuming that the requesting apparatus is in the list held in the data store 24 

then at step 903 the message type is analysed to determine how the message is to 
be handled by the HCC. If the message is an environmental alarm (944) then it is 
handled in a manner described in other co-pending patent applications of the 
proprietor to ensure that appropriate response to the alarm occurs. This is indicated 

1 5 here for the sake of completeness only. 

Similarly, if the message indicates a basic type appliance (that is one coded 
only for the purposes of permission to operate when re-connected to power after 
disconnection) then the Signal Group Basic route 945 is followed. Thus at 946 a 
check is carried out to determine whether in respect of the particular appliance the 

20 blanking code is present and, if so, the equipment is ordered to decode itself as 
disclosed in published European patent application no 960407 which includes a full 
flow chart in respect of the code blanking activity. 

However, if at step 946 the blanking code is not present, this being the more 
usual status, then the unlock code is recovered from the data store (904) and is 

25 transmitted as an unlock response (905) to the mains electrical supply 6. It should be 
noted that where a precoded appliance (from an electronic sale record) is first 
connected to a supply in the premises 3 its unlock code will already be present in the 
equipment list of the HCC 2 provided that the equipment is licitly present in the 
premises and that the HCC has either made a connection to the ROC 4 in the period 

30 between coding and delivery and connection or has been forced to make such a call 
by the owner causing a reset of the HCC 2. In the alternative, where the equipment 
is licitly present in the premises, when the HCC receives an unlock request it will 
follow the path indicated at step 902 and the ROC 4 will recognise the coding 
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request and return the appropriate (already stored) coding for the appliance to 
operate. 

It will be realised that if the ROC receives a coding request from apparatus in 
an incorrect location it may not return a valid coding and may cause an alert to be 
5 provided to appropriate authorities. However, there may be advantages in allowing 
the apparatus to operate on a temporary basis, for example by returning a coding 
with a short time decay (hereinafter discussed) so that a fraudulent operator of the 
appliance may not realise that the authorities are aware of the illicit operation and its 
location. 

10 Returning once again to step 903, if a signalling group information message 

is received indicating a request for capability set information more detailed than a 
simple authorisation code, then at step 947, the processor 23 determines whether 
there are instructions for the apparatus in the list. If at step 947 instructions exist 
then the information message is returned through the ASK interface 25 at step 952 
1 5 and the HCC resumes its quiescent state. 

Now, if at step 947 instructions in respect of the particular apparatus have 
not previously been received and stored then a call is established through the PSTN 
to the ROC 4 and an equipment information required message is transmitted (948). 
The ROC 4 will respond with an equipment information response message (949) and 
20 the processor 25 determines whether the message includes information to be stored 
either in respect of the particular request or additional thereto (950). If not then the 
received information is passed through the ASK interface to the mains as a transmit 
information message (952) prior to the quiescent state being resumed. 

If the received message from the ROC 4 includes information to be stored 
25 then the list held in the data store 24 or 25 is updated (951) in accordance with the 
message and the information responding to the request received is then transmitted 
as before at step 952. 

Considering now the operation of process control 1 5 of figure 3 and referring 
also to figure 5, from a quiescent state 50, the process control may be interrupted or 
30 triggered as a result of user action or as a result of timer permissions decaying to 
zero. Considering first the re-connection (or first connection) of electrical power to 
the apparatus, as indicated at step 51, the process control causes an Unlock Request 
Message to be transmitted 52 and commences a cover timer 53 for response from 
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the HCC 2 as previously described with reference to Figure 4. Four potential exits 
from the timer waiting state may be received representing respectively the outputs 
of the HCC 2 of System Lock Enable (909), Blank Instruction (912), Unlock Response 
(905) or the internal timer of the appliance expiring with no response being received. 
5 The process followed in respect of each of these responses to an Unlock Request 
(SG Basic) message is fully disclosed in the prior published European Patent 
Applications mentioned hereinbefore and further description here is not deemed 
necessary. 

Turning to the other possible exits from the quiescent state 50, the user may 

10 force a request to the HCC 2 by activating a reset function either directly or through 
remote control in order to activate or de-activate a capability in the controlled 
apparatus. Thus if the user has made arrangements with a supplier to allow additional 
functionality or reception of an additional television channel from a service provider, 
resetting the system (56) causes an SG Plus message (57) to be transmitted by way 

15 of the ASK interface 14 to the mains supply line 6 and thence to the HCC 2. 
Following transmission of the request message a cover timer is started (58) while 
awaiting the response from the HCC 2. If, as expected, an information message is 
received (59) (transmitted as hereinbefore described at 952 of Figure 4) then any 
additional capability set "Y" may be stored as active in the data store 16 together 

20 with an appropriate timer associated therewith (if any) at step 61 . 

Alternatively, if the information message received includes a multiple 
capability set activate and/or deactivate instruction (possibly with respective 
associated decay timers) then these are stored at as indicated at steps 62 and 63. 

A further facility which may be provided by the control system of the 

25 invention allows for sensors to be provided which may be smart card, smart badge, 
or passive or biometric sensors so that the presence or absence of a particular card 
or badge may be used to modify or determine the facilities provided. Thus, as 
indicated at step 64, if there is a change in the card presence this may cause the 
process control 15 to generate an SG plus message as before following the steps 57 

30 et sequenda.. This enables the particular apparatus to provide certain facilities only 
when an appropriate card is present. Thus a television set or video may have certain 
capabilities turned off unless a card indicative of adult presence is present such that 
parental control of channels viewed for example may be effected. 
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Sensor presence may also be a limited period authorisation such that the 
timer decays and causes a further SG Plus message to be transmitted as indicated at 
step 65. On one of the timers decaying to zero in the data store 16 and process 
control 15, the associated capability set "X" is marked as disabled (66) and a 
5 message transmitted as before. This will result either in an information message 
including a renewed time for the capability set or a disable message as appropriate 
through steps 59 to 63. 

Note that if the cover timer started at step 58 expires (67) without an 
information message being received then the process control assumes that the 
10 previous capability set authorisation pattern remains in force minus any capability set 
{step 68) which for which the respective timer decayed to zero. 

In the absence of an information message the process control may set a 
further timer to force an SG plus message at a subsequent time to attempt an update 
of the capability sets. 

15 Turning now to figure 12 while continuing to refer to figure 3, if, through the 

function select entry 13, a function is requested then the process control reads the 
current capability set(s) which are active (step 71) and determines whether the 
particular function is controlled (step 72). If the function is an open function 
("Always") then as indicated at step 73 the function is implemented and the 

20 controlled appliance responds to the function request appropriately. If the function is 
disabled ("Never") then a record of the request may be entered in an exception log 
(step 74) and a display activated (step 75) indicating that the function is unavailable. 

The third possibility is that the capability set requires that the function 
requested is "authorised" each time it is activated. Thus at step 76 an information 

25 request message is transmitted to the HCC 2 and a cover timer started (77). On 
receipt of an information response (78) the process control will store any 
modification to the capability set authorisation (with a decay timer if present) and will 
again read the capability set. If the timer set at step 77 expires then the process 
control may check the number of attempts made (step not shown) and will either 

30 return to reading the capability set or will step to reject the request. 

Note that for any particular function request the number of attempts to 
check authorisation may be bounded so that only a single request for information is 
made in respect of the function requested and if not authorised the requested 
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function may be rejected. It will be appreciated that the cover timer started at step 
77 must be sufficient in some circumstances to allow for the HCC to effect a modem 
interchange with the ROC in case there should be a third party authorisation entered 
through the remote centre. 
5 Referring now to figure 6, the ROC in its simplest form comprises a computer 

30 with associated data storage 31 and communications capabilities represented by 
telephone lines 37 and modems 33. Location detection represented by CLI detector 
32 is also provided, noting that GPS may also be detectable. Much of the 
functionality of the ROC of figure 6 has been described in the proprietors earlier 
10 applications such that only a representative selection of program instances are from 
the previous operational description are shown in figure 7 to which reference is now 
also made. 

Thus the first process shown (81 1 ) is a response to a HCC 2 requesting an 
equipment list. The HCC 2 will lose data from the volatile data store 24 (of figure 2) 

15 if power is removed for any reason. It is therefore necessary for the ROC to return a 
complete listing to the HCC to enable apparatus in the controlled premises to 
function. Thus at step 812 the location identity is recovered (from CLI detector 
32/GPS or wired coding from the message) and a comparison made to determine 
whether the location is valid (line ID Registered 813). An attempt from an 

20 unauthorised source (including an invalid combination of identity and wired coding) 
will result in the termination of the interchange (816) and a record being made of the 
call (step 817). Appropriate authorities may be notified of the attempt if there has 
been an indication that the HCC making application has been fraudulently removed 
from its previous location. 

25 If there is a valid registration of the requesting HCC then the equipment 

listing and codings appropriate to the premises in which the home control is located 
will be loaded (step 814) and encompassed in a message for return through the PSTN 
(815). 

In the Equipment code required (step 820) process, when a request is 
30 received 820 then as previously location data is checked (822,823) before location 
code and equipment code and blanking codes are determined (824, 825). It should be 
noted here that where a pre-coded appliance (hereinafter described) causes 



WO 01/75705 



PCT/GB01/00959 



13 

application for an equipment code and there is an indication of invalid location of the 
appliance an appropriate action may be taken (steps not shown). 

Once codings for the requesting appliance have been determined then an 
equipment code response is transmitted 827 and a timer for confirmation of coding 
5 826 is started. If on expiry of the timer no response has been received then a further 
attempt to transmit codings may be made and/or a query may be entered against the 
record of the appliance in the appropriate equipment list. Assuming that an 
equipment stored confirm message is received (828) then the cover timer is stopped 
(829) and the process ended. 
10 Turning now to figure 8, where a message from a HCC 2 to the ROC 4 is an 

information request (70) as before, the location of the calling control centre is 
checked (71,72) and if not valid the request rejected (73) and a record of the attempt 
made (74). 

Assuming validity of the information request message then data for the 

15 particular location (capability sets, timers, new apparatus) is recovered (75) from the 
data store 31 and an information response message encapsulating that data is 
transmitted (76) back through the PSTN. 

In figure 9 there is shown a process whereby a service provider or appliance 
retailer may register changes against a particular customer location. Thus, the 

20 supplier forwards a capability change message which is received at the ROC (step 
80) and the identity of the supplier checked (81) and validated (82). Assuming that 
the supplier is appropriately identified the HCC is identified from the message content 
and a check carried out to ensure that the HCC is registered (84). 

If the capability change requested is subject to agreement from the HCC user 

25 then a check is made to ensure that the end user has given permission (85) prior to 
responding to the change request. If the change is simply one requiring a capability 
set modification then the appropriate information is amended (86) in the data store 
31 so that on the next application of the respective HCC for information the amended 
capabilities are transmitted. A notification message is returned to the supplier at step 

30 87 and the process terminates. 

If at step 86 it is necessary to allocate a new item or appliance to the HCC 
then appropriate codings are generated and stored and these will be notified to the 
supplier so that the appliance being supplied or sold may be appropriately coded. 
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If there is any failure of any of the validity or permit checks (82, 84, 85) a 
non implementation message is transmitted back to the requesting supplier (88) 
which may include a reason for non implementation and the interchange of 
information terminates (89). A record of the transaction attempt may be made in an 
5 exception log (90). 

Figure 13 shows a modified EPOS terminal suitable for implementing the 
invention. Thus the terminal includes a processor 123 having an associated data 
store 126. Normal functionality of the terminal is provided by a keypad 128 and 
swipe card reader 129 combination enabling credit cards to be swiped and credit 

10 authorisation to be sought by way of the PSTN through a modem122 and network 
termination 1 20 to a telephone line 127. Note that this authorisation step may be 
omitted if there are arrangements between the card issuer and the operator of the 
remote operations centre of the invention to effect validation through a more direct 
communication. A smart card sensor 130 (which may also be responsive to other 

15 kinds of identification methods) is provided to enable customer identifying data to be 
read which data may also identify the customers HCC. 

An appliance being sold to the customer is now connected to an appliance coding 
point 131 which may simply be an electrical socket supplied with normal mains 
electrical power. This enables the processor to communicate with the appliance 

20 through an ASK interface 125. 

Now an appliance connected to the mains electrical power, if including the 
appropriate programming causes a request for code to be transmitted to the mains 
power line as previously described. This data is captured through the ASK interface 
1 25 by the processor 1 23 so that any existing coding protecting the appliance 

25 through the supply chain can be forwarded to the ROC 4. 

Thus as previously discussed with reference to figure 11, once the processor 123 
has acquired all necessary data (including the appliance code, customer identity, 
home control centre identity) it will initiate a call through the tone generator and 
modem 122 to the remote operations centre 4 and will await a response. Assuming 

30 now that the response is an acceptance then the current coding and blanking code 
for the connected appliance will be received together with the new authorisation 
code and blanking code for the appliance which codes are now stored at the ROC in 
the appropriate home control centre list associated with the customer. 
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The processor 1 23 uses the received message data firstly to blank the existing 
coding from the appliance (which may have been present from manufacture) and then 
to re-code the appliance to the coding provided by the ROC. This coding is again 
carried out by way of the ASK interface 125 and appliance coding point 131. Once 
5 coded, the appliance may be disconnected from the connection socket. Any 
subsequent re-connection of the appliance other than at the location identified from 
the credit/smart card and/or biometric identity will result in restricted capability or 
non-operation of the appliance as hereinbefore referenced. 

Turning now to Figure 1 1, the supplier chain EPOS terminal interchange with 
10 the ROC 4 is considered in more detail. Thus, when a sale is being made (91) the 
customer smart card (specific to premises or credit or debit cards etc.) is used to 
determine the identity of the customer 92. A check on the validity of the tendered 
identity and/or PIN entered may be made (93) and any relevant credit authorisation 
acquired (step not shown). Any failure may be recorded in an exception log (94) and 
15 a notification message may be sent (95) to an appropriate third party (Credit issuer, 
law enforcement agency) . 

Assuming now that the transaction is determined as valid (93) then a call is 
established to the ROC and a capability change message transmitted (96). A 
response timer is started (97) and a response message from the ROC awaited. If the 
20 response message is an acceptance and includes coding information then this is 
transferred (99) to the appliance by way of its normal communications path, probably 
through a mains power connection. 

Note that if the timer expires a number of attempts may be made to repeat 
the transaction validation and coding process with the ROC and only if the maximum 
25 number of attempts is exceeded (101) is a record made in an exception log (102). 

Now if for any reason the ROC returns a not implemented message then a 
record may be made in the exception log and, depending upon the reason for 
rejection, appropriate notifications to third parties may be made. 

It is here noted that where a service supplier provides capability change 
30 information to the ROC 4 the program of figure 1 1 may simply terminate once an 
acceptance message is returned since no coding message need be returned. 

In a further process available at the ROC 4, referring now to figure 10, where 
a keyed entry to the HCC 2 is made once the complete change has been identified in 
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the HCC 2 (process not shown) the HCC transmits a keyed change request to the 
ROC. Such a request maybe in respect of modification of capability sets, time of 
availability, availability only on sensed presence and the like whereby user authorities 
are modified by the user. 
5 Thus when the ROC receives a keyed change request (110) the HCC is 

identified (111) and the usual identity and validity checks are carried out (112, 113 
114). Assuming that the request is valid then the data for the appropriate HCC is 
recovered (1 15) from the data bank 31 to enable a check to be carried out (1 16) on 
any required PIN entry or smart card presence prior to modification of the respective 
10 data and an information message including the updated information being transmitted 
(118). 

For the avoidance of doubt it is here noted that the term HCC should not be 
construed as limiting the application of the invention to domestic premises since the 
control mechanisms and methods disclosed hereinbefore may be equally applied to 
1 5 non domestic premises with little variation in the implementation. 



WO 01/75705 



PCT/GB01/00959 



17 
CLAIMS 

1 . A method of operating an electronic commerce system, including 

a) receiving at a point of sale device a customer transaction order for a 
5 customer apparatus and 

b) subsequently conveying the customer apparatus to the customer 
characterised by a step initiated at the point of sale device of programming 

the customer apparatus with a permission code specific to a customer location and in 
that at least some of the capabilities of the apparatus are inhibited until and unless a 
10 corresponding permission code is supplied to the customer apparatus when installed 
at the customer location. 

2. A method according to claim 1 including 

reading at the point of sale device data identifying the customer, 
1 5 communicating to a remote operations centre connected to the electronic 

commerce system by a communications network a request for the said permission 
code specific to the customer location and 

receiving the said code from the remote operations centre via the 
communications network. 

20 

3. A method according to claim 1 or 2, in which, at the customer location, the 
corresponding permission code is received from the remote operations centre by an 
interface unit in communication with a plurality of customer apparatuses. 

25 4. A method according to claim 3, in which the apparatus is connected to a fixed 
power supply circuit and data is communicated between the interface unit and the 
apparatus via the said fixed power supply circuit. 

5. A point of sale system for use in electronic commerce characterised by a 
30 programming data interface for connection to a customer apparatus and arranged to 
programme the customer apparatus with a permission code specific to a customer 
location whereby, in use, least some of the capabilities of the customer apparatus are 
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inhibited until and unless a corresponding permission code is supplied to the customer 
apparatus when installed at the customer location. 

6. A system according to claim 5, further comprising a customer data interface 
5 arranged to receive data identifying the customer. 

7. A system according to claim 5 or 6, further comprising a remote communications 
interface arranged to transmit via a communications network to a remote operations 
centre a request for the said permission code. 

10 

8. A method according to claim 2, in which the data identifying the customer is read 
from a transaction card holding customer account data. 



9. A transaction card programmed with data for use in a method according to claim 
15 8. 
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